Attachment: Soda PDF producer with encryption themes

Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs whose OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page.

Sublime rule

name: "Attachment: Soda PDF producer with encryption themes"
description: "Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs which OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension == "pdf"
          // observed producer
          and any(file.explode(.), .scan.exiftool.producer == "Soda PDF")
          and any(file.explode(.),
                  // OCR contains "encryption" themes
                  (
                    strings.icontains(.scan.ocr.raw, "has been encrypted")
                    or strings.icontains(.scan.ocr.raw, "encrypted pdf file")
                    or strings.icontains(.scan.ocr.raw, "is secured by")
                  )
                  // mentions a PDF
                  and strings.contains(.scan.ocr.raw, "PDF")
          )
  )

24attack_types:
25  - "Credential Phishing"
26tactics_and_techniques:
27  - "PDF"
28  - "Social engineering"
29detection_methods:
30  - "File analysis"
31  - "Optical Character Recognition"
32id: "af8eeca4-825a-5118-bba0-ab62425a5fcb"
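As an added illustration (not code from this page or from Sublime), the rule's matching logic mirrored in plain Python over constructed attachment records. It shows two details the rule text leaves implicit: the phrase checks are case-insensitive (icontains) while the "PDF" check is case-sensitive (contains), and the producer and OCR conditions are separate any() calls, so they may be satisfied by different exploded objects of the same attachment. Field names in the sample records are assumptions for this example.

```python
"""Plain-Python mirror of the rule's matching logic (added illustration).

Constructed sample records below stand in for the fields the rule reads
(file_extension, per-exploded-object exiftool producer and OCR text).
This is not Sublime's engine or the rule repository's code.
"""

ENCRYPTION_PHRASES = ("has been encrypted", "encrypted pdf file", "is secured by")


def ocr_has_encryption_theme(ocr_raw: str) -> bool:
    """strings.icontains(): case-insensitive substring match for any phrase."""
    lowered = ocr_raw.lower()
    return any(phrase in lowered for phrase in ENCRYPTION_PHRASES)


def exploded_object_matches(obj: dict) -> bool:
    """A single exploded object must carry a theme AND a case-sensitive 'PDF'."""
    ocr_raw = obj.get("ocr_raw", "")
    return ocr_has_encryption_theme(ocr_raw) and "PDF" in ocr_raw


def attachment_matches(attachment: dict) -> bool:
    """Per-attachment conditions; the two any() checks are independent,
    so producer and OCR text may come from different exploded objects."""
    if attachment.get("file_extension") != "pdf":
        return False
    exploded = attachment.get("exploded", [])
    producer_ok = any(obj.get("producer") == "Soda PDF" for obj in exploded)
    ocr_ok = any(exploded_object_matches(obj) for obj in exploded)
    return producer_ok and ocr_ok


def message_matches(message: dict) -> bool:
    """type.inbound and any(attachments, ...)."""
    return bool(message.get("inbound")) and any(
        attachment_matches(a) for a in message.get("attachments", ()))


# Constructed samples (not real OCR output or real attachments).
HIT = {"inbound": True, "attachments": [{"file_extension": "pdf", "exploded": [
    {"producer": "Soda PDF", "ocr_raw": "Your PDF has been encrypted. Open it here."}]}]}
# "pdf" lowercase only: icontains() phrase matches, but contains("PDF") does not.
MISS_CASE = {"inbound": True, "attachments": [{"file_extension": "pdf", "exploded": [
    {"producer": "Soda PDF", "ocr_raw": "Your pdf has been encrypted. Open it here."}]}]}

if __name__ == "__main__":
    print("HIT:", message_matches(HIT), "MISS_CASE:", message_matches(MISS_CASE))
```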